fix: removes circular dependencies to make crate publishing hell go away

.github/workflows/ci.yml

@@ -73,6 +73,9 @@ jobs:
       - name: Run tests
         run: cargo nextest run --workspace
 
+      - name: Run tests (all features)
+        run: cargo nextest run --workspace --all-features
+
       - name: Run doc tests
         run: cargo test --all --doc
 

CLAUDE.md

@@ -63,18 +63,27 @@ Private functions don't need to be documented - but you can if it seems like an
 ## Crate Architecture
 
 ```
-auths-core        →  auths-id  →  auths-cli
-(cryptography,        (identity,     (user commands)
- keychains)           git storage)
-
-auths-verifier    (standalone, minimal deps for FFI/WASM embedding)
-auths-index       (SQLite-backed O(1) attestation lookups)
-auths-nostr       (Nostr protocol integration)
+Layer 0: auths-crypto     (cryptographic primitives, DID:key encoding)
+Layer 1: auths-verifier   (standalone verification, FFI/WASM)
+Layer 2: auths-core       (keychains, signing, policy, ports)
+Layer 3: auths-id         (identity, attestation, KERI, traits)
+         auths-policy     (policy expression engine)
+Layer 4: auths-storage    (Git/SQL storage adapters)
+         auths-sdk        (application services)
+Layer 5: auths-infra-git  (Git client adapter)
+         auths-infra-http (HTTP client adapter)
+Layer 6: auths-cli        (user commands)
 ```
 
-**auths-core**: Foundation layer with Ed25519 cryptography (ring), platform keychains (macOS Security Framework, Linux Secret Service, Windows Credential Manager), and encryption primitives.
+**auths-crypto**: Layer 0 cryptographic primitives — Ed25519, KERI key parsing, DID:key encoding.
+
+**auths-verifier**: Minimal-dependency verification library for FFI/WASM embedding. Depends only on auths-crypto.
+
+**auths-core**: Foundation layer with platform keychains (macOS Security Framework, Linux Secret Service, Windows Credential Manager), signing, policy, and port abstractions.
+
+**auths-id**: Identity and attestation domain logic. Defines key traits: `IdentityStorage`, `AttestationSource`, `AttestationSink`. KERI identity management. Refs stored under `refs/auths/` and `refs/keri/`.
 
-**auths-id**: Identity and attestation logic. Stores data as Git refs under `refs/auths/` and `refs/keri/`. Key traits: `IdentityStorage`, `AttestationSource`, `AttestationSink`.
+**auths-storage**: Storage backend implementations — `GitAttestationStorage`, `GitIdentityStorage`, `GitRefSink`, `GitRegistryBackend`.
 
 **auths-cli**: Command-line interface with three binaries: `auths`, `auths-sign`, `auths-verify`. Uses clap for argument parsing.
 

Cargo.toml

@@ -9,7 +9,6 @@ members = [
   "crates/auths-policy",
   "crates/auths-verifier",
   "crates/auths-telemetry",
-  "crates/auths-test-utils",
   "crates/auths-crypto",
   "crates/auths-sdk",
   "crates/auths-infra-git",
@@ -22,7 +21,7 @@ exclude = [
 ]
 
 [workspace.package]
-version = "0.0.1-rc.1"
+version = "0.0.1-rc.3"
 license = "Apache-2.0"
 rust-version = "1.93"
 
@@ -35,15 +34,14 @@ thiserror = "2"
 uuid = { version = "1", features = ["v4"] }
 git2 = "0.20.4"
 
-auths-core = { path = "crates/auths-core", version = "0.0.1-rc.1" }
-auths-id = { path = "crates/auths-id", version = "0.0.1-rc.1" }
-auths-verifier = { path = "crates/auths-verifier", version = "0.0.1-rc.1", default-features = false }
-auths-policy = { path = "crates/auths-policy", version = "0.0.1-rc.1" }
-auths-index = { path = "crates/auths-index", version = "0.0.1-rc.1" }
-auths-telemetry = { path = "crates/auths-telemetry", version = "0.0.1-rc.1" }
-auths-crypto = { path = "crates/auths-crypto", version = "0.0.1-rc.1", default-features = false }
-auths-sdk = { path = "crates/auths-sdk", version = "0.0.1-rc.1" }
-auths-test-utils = { path = "crates/auths-test-utils", version = "0.0.1-rc.1" }
-auths-infra-git = { path = "crates/auths-infra-git", version = "0.0.1-rc.1" }
-auths-infra-http = { path = "crates/auths-infra-http", version = "0.0.1-rc.1" }
-auths-storage = { path = "crates/auths-storage", version = "0.0.1-rc.1" }
+auths-core = { path = "crates/auths-core", version = "0.0.1-rc.3" }
+auths-id = { path = "crates/auths-id", version = "0.0.1-rc.3" }
+auths-verifier = { path = "crates/auths-verifier", version = "0.0.1-rc.3", default-features = false }
+auths-policy = { path = "crates/auths-policy", version = "0.0.1-rc.3" }
+auths-index = { path = "crates/auths-index", version = "0.0.1-rc.3" }
+auths-telemetry = { path = "crates/auths-telemetry", version = "0.0.1-rc.3" }
+auths-crypto = { path = "crates/auths-crypto", version = "0.0.1-rc.3", default-features = false }
+auths-sdk = { path = "crates/auths-sdk", version = "0.0.1-rc.3" }
+auths-infra-git = { path = "crates/auths-infra-git", version = "0.0.1-rc.3" }
+auths-infra-http = { path = "crates/auths-infra-http", version = "0.0.1-rc.3" }
+auths-storage = { path = "crates/auths-storage", version = "0.0.1-rc.3" }

crates/auths-cli/Cargo.toml

@@ -48,7 +48,7 @@ bs58 = "0.5.1"
 git2 = "0.20.4"
 dirs = "6.0.0"
 chrono = "0.4.40"
-jsonschema = "0.42.2"
+jsonschema = { version = "0.42.2", default-features = false }
 rpassword = "7.3.1"
 log = "0.4.27"
 json-canon = "0.1"
@@ -87,7 +87,7 @@ lan-pairing = ["dep:axum", "dep:tower", "dep:tower-http", "dep:mdns-sd", "dep:to
 nix = { version = "0.29", features = ["signal", "process"] }
 
 [dev-dependencies]
-auths-test-utils.workspace = true
+auths-crypto = { workspace = true, features = ["test-utils"] }
 assert_cmd = "2"
 tempfile = "3"
 predicates = "2"

crates/auths-cli/tests/cases/preset.rs

@@ -1,7 +1,8 @@
-use auths_id::storage::attestation::{AttestationSource, GitAttestationStorage};
-use auths_id::storage::identity::{GitIdentityStorage, IdentityStorage};
+use auths_id::storage::attestation::AttestationSource;
+use auths_id::storage::identity::IdentityStorage;
 use auths_id::storage::layout::StorageLayoutConfig;
 use auths_id::storage::layout::{attestation_ref_for_device, identity_ref};
+use auths_storage::git::{GitAttestationStorage, GitIdentityStorage};
 use auths_verifier::types::DeviceDID;
 use tempfile::tempdir;
 

crates/auths-cli/tests/cases/verify.rs

@@ -1,7 +1,7 @@
 #![allow(deprecated)] // cargo_bin is deprecated but replacement requires significant refactor
 
 use assert_cmd::Command;
-use auths_test_utils::crypto::gen_keypair;
+use auths_crypto::testing::gen_keypair;
 use auths_verifier::IdentityDID;
 use auths_verifier::core::{
     Attestation, CanonicalAttestationData, Ed25519PublicKey, Ed25519Signature, ResourceId,

crates/auths-core/Cargo.toml

@@ -76,7 +76,6 @@ secret-service = { version = "5.0", features = ["rt-tokio-crypto-rust"], optiona
 windows = { version = "0.58", features = ["Security_Credentials", "Foundation_Collections"], optional = true }
 
 [dev-dependencies]
-auths-test-utils.workspace = true
 ring.workspace = true
 anyhow = "1.0"
 assert_matches = "1.5.0"
@@ -90,7 +89,7 @@ harness = false
 
 [features]
 default = []
-test-utils = []
+test-utils = ["auths-crypto/test-utils"]
 keychain-linux-secretservice = ["dep:secret-service"]
 keychain-windows = ["dep:windows"]
 keychain-file-fallback = []

crates/auths-test-utils/src/fakes/id.rs → crates/auths-core/src/testing/deterministic_uuid.rs

@@ -1,4 +1,4 @@
-use auths_core::ports::id::UuidProvider;
+use crate::ports::id::UuidProvider;
 use std::sync::atomic::{AtomicU64, Ordering};
 use uuid::Uuid;
 
@@ -8,7 +8,7 @@ use uuid::Uuid;
 ///
 /// Usage:
 /// ```ignore
-/// use auths_test_utils::fakes::id::DeterministicUuidProvider;
+/// use auths_core::testing::DeterministicUuidProvider;
 /// use auths_core::ports::id::UuidProvider;
 ///
 /// let provider = DeterministicUuidProvider::new();
@@ -20,6 +20,7 @@ pub struct DeterministicUuidProvider {
 }
 
 impl DeterministicUuidProvider {
+    /// Create a new provider starting at counter 0.
     pub fn new() -> Self {
         Self {
             counter: AtomicU64::new(0),

crates/auths-test-utils/src/storage_fakes.rs → crates/auths-core/src/testing/in_memory_storage.rs

@@ -1,4 +1,4 @@
-use auths_core::ports::storage::{
+use crate::ports::storage::{
     BlobReader, BlobWriter, EventLogReader, EventLogWriter, RefReader, RefWriter, StorageError,
 };
 use auths_verifier::keri::Prefix;
@@ -12,7 +12,7 @@ use std::sync::Mutex;
 ///
 /// Usage:
 /// ```ignore
-/// use auths_test_utils::storage_fakes::InMemoryStorage;
+/// use auths_core::testing::InMemoryStorage;
 /// use auths_core::ports::storage::BlobWriter;
 ///
 /// let store = InMemoryStorage::new();
@@ -25,6 +25,7 @@ pub struct InMemoryStorage {
 }
 
 impl InMemoryStorage {
+    /// Create a new empty in-memory storage instance.
     pub fn new() -> Self {
         Self {
             blobs: Mutex::new(HashMap::new()),

crates/auths-core/src/testing/mod.rs

@@ -37,6 +37,8 @@
 //! [`KeyStorage`]: crate::storage::KeyStorage
 
 mod builder;
+mod deterministic_uuid;
+mod in_memory_storage;
 
 // Re-export test utilities from storage::memory
 pub use crate::storage::memory::{
@@ -46,3 +48,7 @@ pub use crate::storage::memory::{
 
 // Re-export builder types
 pub use builder::{TestIdentity, TestIdentityBuilder, TestPassphraseProvider};
+
+// Re-export deterministic UUID provider and in-memory storage
+pub use deterministic_uuid::DeterministicUuidProvider;
+pub use in_memory_storage::InMemoryStorage;

crates/auths-crypto/Cargo.toml

@@ -12,6 +12,7 @@ categories = ["cryptography"]
 default = ["native"]
 native = ["dep:ring", "dep:tokio"]
 wasm = ["dep:js-sys", "dep:wasm-bindgen", "dep:wasm-bindgen-futures", "dep:web-sys"]
+test-utils = ["dep:ring"]
 
 [dependencies]
 async-trait = "0.1"

crates/auths-crypto/src/lib.rs

@@ -28,5 +28,8 @@ pub use provider::{
 #[cfg(all(feature = "native", not(target_arch = "wasm32")))]
 pub use ring_provider::RingCryptoProvider;
 pub use ssh::{SshKeyError, openssh_pub_to_raw_ed25519};
+#[cfg(all(any(test, feature = "test-utils"), not(target_arch = "wasm32")))]
+pub mod testing;
+
 #[cfg(feature = "wasm")]
 pub use webcrypto_provider::WebCryptoProvider;

crates/auths-crypto/tests/cases/provider.rs

@@ -1,11 +1,5 @@
+use auths_crypto::testing::create_test_keypair;
 use auths_crypto::{CryptoProvider, RingCryptoProvider};
-use ring::signature::{Ed25519KeyPair, KeyPair};
-
-fn create_test_keypair(seed: &[u8; 32]) -> (Ed25519KeyPair, [u8; 32]) {
-    let keypair = Ed25519KeyPair::from_seed_unchecked(seed).unwrap();
-    let public_key: [u8; 32] = keypair.public_key().as_ref().try_into().unwrap();
-    (keypair, public_key)
-}
 
 #[tokio::test]
 async fn ring_provider_verifies_valid_signature() {

crates/auths-id/Cargo.toml

@@ -15,6 +15,7 @@ default = ["git-storage"]
 git-storage = ["dep:git2", "dep:dirs", "dep:tempfile", "dep:tokio"]
 indexed-storage = ["auths-index"]
 witness-client = ["dep:auths-infra-http"]
+test-utils = ["auths-crypto/test-utils", "dep:mockall"]
 
 [dependencies]
 async-trait = "0.1"
@@ -30,7 +31,7 @@ dirs = { version = "6.0.0", optional = true }
 git2 = { version = "0.20.4", optional = true }
 hex = { version = "0.4.3", features = ["serde"] }
 json-canon = "0.1.3"
-jsonschema = "0.42.2"
+jsonschema = { version = "0.42.2", default-features = false }
 log = "0.4.27"
 multibase = "0.9.1"
 pkcs8 = "0.10"
@@ -45,27 +46,23 @@ tokio = { version = "1", features = ["rt", "sync"], optional = true }
 url = { version = "2", features = ["serde"] }
 uuid = "1.16.0"
 zerocopy = "0.8.24"
+mockall = { version = "0.13", optional = true }
 
 # Optional dependencies
 auths-index = { workspace = true, optional = true }
 auths-infra-http = { workspace = true, optional = true }
 
 [dev-dependencies]
 auths-core = { workspace = true, features = ["test-utils"] }
+auths-infra-git = { workspace = true, features = ["test-utils"] }
 criterion = { version = "0.8.2", features = ["html_reports"] }
 rand = "0.10.0"
 base58 = "0.2"
 proptest = "1.4"
 serial_test = "3"
-auths-test-utils.workspace = true
-auths-storage = { workspace = true, features = ["backend-git"] }
 futures = "0.3"
 tokio = { version = "1", features = ["macros", "rt-multi-thread"] }
 
-[[bench]]
-name = "registry"
-harness = false
-
 [lints.clippy]
 print_stdout = "deny"
 print_stderr = "deny"